Problems with Hijack This and C Cleaner

[sistershandy]

Hi
I am really worried about my computer. Recently it has been shutting itself down randomly, but seem to have resolved this problem by updating a modem driver. However, I now have a problem accessing both Hijack THis and C Cleaner. Everytime I go near them the computer kind of half logs off, and won't allow me to open the programs. I cannot access sites realted to these progrms wither, as the internet just shuts down! I have tried accessing them to rename the files, but again, the partial logging off thing happens.
I did actually manage to run both programs in safe mode (after numerous attempts) and have attached the Hijack THis log in a separate thread (I am new to this and posted it in the wrong place).
https://www.techspot.com/vb/topic74275.html
Should I be worried???
Please help!
PS I have had to write Hijack This as two words, o that my computer will accept it!

 

[raybay]

Have you run a good antivirus, antispyware system? Have you run your Windows XP disc in repair mode? Have you tried going to Add and Remove Software to remove both HiJack and CCleaner? What protection systems do you have installed?
Please describe the brand and model of computer, as well as the configuration.

 

[howard_hopkinso]

Hello and welcome to Techspot.

It sounds like you have a real nasty infection.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly, or in your case, as many as you can.

Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

Also, let me know the results of the AVG Antirootkit scan.

Regards Howard :wave: :wave:

This thread is for the use of sistershandy only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[sistershandy]

Still having problems!

Hi Howard
Thanks for all your help. I followed the instructions as closely as I could, but was unable to run Hijack This or CCleaner other than in safe mode (I ran Hijack THis at the end of the proces in Safe Mode and have attached the log)
When running the online scanner, two viruses flashed up on the AVG warning:
1. TrojanhorseGeneric2.FAR (C:\WINDOWS\Canon-Sensor.exe)
2. Trojanhorselop.AH (C:\WINDOWS\sdyphl.dll)
The program said it was unable to quarantine or fix the items.
However, they have never shown up before, and didn't show up in any of the follow up scans????
I have attached the combifix log and HJT log (as done in safe mode).
AVG AntiSpyware found nothing at all.
AVG Antiroot found:
C:\Program Files\Musicmatch\Musicmatch Jukebox\mimboot.exe,Hidden application
only.
Hope you cn help!
Mel

 

[howard_hopkinso]

C:\Program Files\Musicmatch\Musicmatch Jukebox\mimboot.exe is safe and is nothing to worry about. It`s part of the Musicmatch programme.

1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached avengerscript.txt and save it to your desktop

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon which will open a new window titled "open Script File"
navigate to the file you have just downloaded, click on it and press open
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT log from normal mode if you can.

Regards Howard

This thread is for the use of sistershandy only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[sistershandy]

!!!!

Hi again
I have tried to follow your intructions but every time I click on the link you provided Internet Explorer shuts itself off!
This is the same thing that hppens if I try to access anything connected with Hijack This or CCleaner in Normal mode.
Sorry!!!
Mel

 

[howard_hopkinso]

Ok, try downloading and installing Firefox. When it askes you if you want to import anything, don`t import nothing. Then see if you can access the links above and let me know.

http://www.mozilla.com/en-US/firefox/

Regards Howard

This thread is for the use of sistershandy only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[sistershandy]

Still No Joy!

I have tried but the ame thing still happens where Internet Explorer shuts down when I try to access the links!
Sorry!
Mel

 

[howard_hopkinso]

Don`t be sorry, it`s not your fault.

I have sent you the Avenger programme and script via email. Hopefully, you`ll be able to use the programme as per my instructions.

Please let me know the outcome.

Regards Howard

This thread is for the use of sistershandy only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[sistershandy]

Grrrrrrr!

Oh no! Same thing still happens when I try to download it! The 'Save/ Open' option briefly flashes up before the internet explorer closes down!
Mel

 

[howard_hopkinso]

Damn, let`s try this instead.

Try booting into safe mode with networking and see if you get any joy and try using Firefox, rather than Internet Explorer.

Regards Howard

Edit: I`m going offline now for a few hours(need some sleep), but I promise I`ll be back to try and help you out.

This thread is for the use of sistershandy only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[sistershandy]

Am I Being Stupid??!!

I tried booting in safe mode with networking, but couldn't access the internet. Not sure what I'm doing!!!!
Mel

 

[howard_hopkinso]

Ok, let`s see if we can manually remove some of these nasties.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Go to add remove programmes in your control panel and uninstall anything to do with(if there).

checkthis files directory

Close control panel

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

ciscospeed.exe
CheckThis1991.exe

Close task manager.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;

F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,"c:\windows\ciscospeed.exe",

O4 - HKLM\..\Run: [Dit] Dit.exe

O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL

O16 - DPF: {34DDA5F1-153C-488D-BB3B-6F397270AE48} - http://gromozon.com/d565758b/sm/50305/1/xp/FreeAccess.ocx

O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk DWF Viewer Control) - http://www.autodesk.com/global/dwfviewer/installer/DwfViewerSetup.cab

O16 - DPF: {BF6BBE9A-0656-4598-A0CD-32DAC03959B5} (Image Uploader 3.0 Control) - http://www.asda-photo.co.uk/wpp/asda/app/opcuploader.cab

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories(if there).

c:\windows\ciscospeed.exe
C:\Program Files\checkthis files directory<Delete the entire folder.
C:\WINDOWS\sdyph1.dll
C:\WINDOWS\system32\[/b]lpt4.ktb[/b]

Reboot into normal mode and rehide your protected OS files.

See if you can now post a HJT log from normal mode.

Regards Howard

This thread is for the use of sistershandy only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[sistershandy]

A little trouble!!!

Hi Howard
I'm having a little trouble as Hijack This will not work even in safe mode at the minute! I'm going to run the virus checks I did last night then try it again, but it may take some time. Hopefully it will work.
Thanks again
Mel

 

[momok]

Hi

I suspect HijackThis was simply removed from her system during the course of this solution.

Click on the processes tab and end process for(if there).

ciscospeed.exe
CheckThis1991.exe
.
.
.
Locate and delete the following bold files and/or directories(if there).

c:\windows\ciscospeed.exe
C:\Program Files\checkthis files directory<Delete the entire folder

Your log shows that your HijackThis is outdated at v 1.99.1
Did you rename HijackThis as CheckThis1991.exe?

If so then your program was simply removed.

 

[sistershandy]

Alternative User

Hi
I have just logged on as the other user on my machine and I am able to run both the Hijack This and CCleaner programs.
Does this make any difference or do I need to be logged on as me to do this, as this is where the problems seem to be occurring?
Thanks
Mel

 

[howard_hopkinso]

Please post a HJT log from the user account you`re currently logged on as. also, see if you can run the Avenger programme as per the instructions.

Regards Howard

This thread is for the use of sistershandy only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[sistershandy]

Hmmmm!

Hi
Now it won't work as either user!!!!
I did a scan earlir and saved it. I've attached it for you.
Hope it's ok!
It's now starting to drive me mad!!!!
Mel

 

[howard_hopkinso]

Try this and see if it helps. If it doesn`t, then you need tio start thinking about backing up your important data and reformatting.

Download the Pocket Killbox programme from HERE. Extract it but don`t run it yet.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

ciscospeed.exe

Close task manager.

Run the killbox.exe file. When it loads type the full path to the file you would like to delete in the field and check the delete file on reboot button. press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted. If your computer doesn`t automatically restart, restart it manually.

These are the filepaths you need to enter into killbox.

C:\WINDOWS\sdyph1.dll
C:\WINDOWS\system32\lpt4.ktb
c:\windows\ciscospeed.exe

Once your system has rebooted, rehide your protected OS files.

Post a fresh HJT log and let me know how it went.

Regards Howard

This thread is for the use of sistershandy only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[sistershandy]

Still no joy!

It doesn't seem to have worked.
Still can't run HJT and another Trojan Horse mesage just flshed up!
I'm calling it a day - maybe tomorrow will bring new hope!!!!!
Thanks again for your help, I'll give it another go in the morning and let you know how it goes.
Mel
PS We have a separate D-Drive for documents - if I need to reformat, can I leave this as it is, or will I need to do all drives?

 

[howard_hopkinso]

Do a antivirus/antispyware scan on the D drive and see if anything is found. Providing the documents are not in the .doc format, there`s very little chance of infection.

Regards Howard

This thread is for the use of sistershandy only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[sistershandy]

Still No Joy!!!!!

Hi again
I am now at a complete loss of what to do! I have tried everyting you suggested. This morning, my computer allowed me to download the latest versions of both Hijack This and CCleaner so I thought mu luck was in, but after following the Trojan virus removal steps it still hasn't got rid of my nasties! I know where they are but cn't hift them. AVG Antivirus won't run properly either now, as it simply shuts itself down after 30 minutes!!!!
It just gets better doesn't it!!
Is my only hope refirmatting?
Thanks for everything
Mel

 

[howard_hopkinso]

1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached avengerscript.txt and save it to your desktop

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon which will open a new window titled "open Script File"
navigate to the file you have just downloaded, click on it and press open
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT log.

If you still can`t run the Avenger, then I advise you to reformat your system as this problem obviously can`t be fixed.

Regards Howard